* [PATCH] proc/kcore: Don't bounds check against address 0
[not found] <1039518799.26129578.1525185916272.JavaMail.zimbra@redhat.com>
@ 2018-05-01 20:11 ` Laura Abbott
2018-05-01 21:46 ` Andrew Morton
0 siblings, 1 reply; 3+ messages in thread
From: Laura Abbott @ 2018-05-01 20:11 UTC (permalink / raw)
To: Dave Anderson, Kees Cook, akpm
Cc: Laura Abbott, linux-kernel, linux-mm, linux-arm-kernel,
Ard Biesheuvel, Ingo Molnar, Andi Kleen
The existing kcore code checks for bad addresses against
__va(0) with the assumption that this is the lowest address
on the system. This may not hold true on some systems (e.g.
arm64) and produce overflows and crashes. Switch to using
other functions to validate the address range.
Tested-by: Dave Anderson <anderson@redhat.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
---
I took your previous comments as a tested by, please let me know if that
was wrong. This should probably just go through -mm. I don't think this
is necessary for stable but I can request it later if necessary.
---
fs/proc/kcore.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index d1e82761de81..e64ecb9f2720 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -209,25 +209,34 @@ kclist_add_private(unsigned long pfn, unsigned long nr_pages, void *arg)
{
struct list_head *head = (struct list_head *)arg;
struct kcore_list *ent;
+ struct page *p;
+
+ if (!pfn_valid(pfn))
+ return 1;
+
+ p = pfn_to_page(pfn);
+ if (!memmap_valid_within(pfn, p, page_zone(p)))
+ return 1;
ent = kmalloc(sizeof(*ent), GFP_KERNEL);
if (!ent)
return -ENOMEM;
- ent->addr = (unsigned long)__va((pfn << PAGE_SHIFT));
+ ent->addr = (unsigned long)page_to_virt(p);
ent->size = nr_pages << PAGE_SHIFT;
- /* Sanity check: Can happen in 32bit arch...maybe */
- if (ent->addr < (unsigned long) __va(0))
+ if (!virt_addr_valid(ent->addr))
goto free_out;
/* cut not-mapped area. ....from ppc-32 code. */
if (ULONG_MAX - ent->addr < ent->size)
ent->size = ULONG_MAX - ent->addr;
- /* cut when vmalloc() area is higher than direct-map area */
- if (VMALLOC_START > (unsigned long)__va(0)) {
- if (ent->addr > VMALLOC_START)
- goto free_out;
+ /*
+ * We've already checked virt_addr_valid so we know this address
+ * is a valid pointer, therefore we can check against it to determine
+ * if we need to trim
+ */
+ if (VMALLOC_START > ent->addr) {
if (VMALLOC_START - ent->addr < ent->size)
ent->size = VMALLOC_START - ent->addr;
}
--
2.14.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] proc/kcore: Don't bounds check against address 0
2018-05-01 20:11 ` [PATCH] proc/kcore: Don't bounds check against address 0 Laura Abbott
@ 2018-05-01 21:46 ` Andrew Morton
2018-05-01 22:26 ` Laura Abbott
0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morton @ 2018-05-01 21:46 UTC (permalink / raw)
To: Laura Abbott
Cc: Dave Anderson, Kees Cook, linux-kernel, linux-mm,
linux-arm-kernel, Ard Biesheuvel, Ingo Molnar, Andi Kleen
On Tue, 1 May 2018 13:11:43 -0700 Laura Abbott <labbott@redhat.com> wrote:
> The existing kcore code checks for bad addresses against
> __va(0) with the assumption that this is the lowest address
> on the system. This may not hold true on some systems (e.g.
> arm64) and produce overflows and crashes. Switch to using
> other functions to validate the address range.
>
> Tested-by: Dave Anderson <anderson@redhat.com>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
> ---
> I took your previous comments as a tested by, please let me know if that
> was wrong. This should probably just go through -mm. I don't think this
> is necessary for stable but I can request it later if necessary.
I'm surprised. "overflows and crashes" sounds rather serious??
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] proc/kcore: Don't bounds check against address 0
2018-05-01 21:46 ` Andrew Morton
@ 2018-05-01 22:26 ` Laura Abbott
0 siblings, 0 replies; 3+ messages in thread
From: Laura Abbott @ 2018-05-01 22:26 UTC (permalink / raw)
To: Andrew Morton
Cc: Dave Anderson, Kees Cook, linux-kernel, linux-mm,
linux-arm-kernel, Ard Biesheuvel, Ingo Molnar, Andi Kleen
On 05/01/2018 02:46 PM, Andrew Morton wrote:
> On Tue, 1 May 2018 13:11:43 -0700 Laura Abbott <labbott@redhat.com> wrote:
>
>> The existing kcore code checks for bad addresses against
>> __va(0) with the assumption that this is the lowest address
>> on the system. This may not hold true on some systems (e.g.
>> arm64) and produce overflows and crashes. Switch to using
>> other functions to validate the address range.
>>
>> Tested-by: Dave Anderson <anderson@redhat.com>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>> ---
>> I took your previous comments as a tested by, please let me know if that
>> was wrong. This should probably just go through -mm. I don't think this
>> is necessary for stable but I can request it later if necessary.
>
> I'm surprised. "overflows and crashes" sounds rather serious??
>
It's currently only seen on arm64 and it's not clear if anyone
wants to use that particular combination on a stable release.
I think a better phrase is "this is not urgent for stable".
Thanks,
Laura
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-05-01 22:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1039518799.26129578.1525185916272.JavaMail.zimbra@redhat.com>
2018-05-01 20:11 ` [PATCH] proc/kcore: Don't bounds check against address 0 Laura Abbott
2018-05-01 21:46 ` Andrew Morton
2018-05-01 22:26 ` Laura Abbott
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).